TS-RDC-04 Trust & Stewardship Risk, Data & Compliance CORE Compliance v2.9.7

Serious-incident reporting & escalation

Assesses whether the organization has a clear, documented process for identifying, reporting, and escalating serious incidents to the board and all relevant regulatory bodies in a timely manner. The organization must maintain an ‘Applicable Regulators Matrix’ mapping its activities (e.g., children’s work, healthcare, housing, overseas operations) to relevant notification regimes (e.g., Charity Commission/OSCR/CCNI, ICO, HSE/RIDDOR, LADO/police, OfS, CQC/Ofsted/RSH, HMRC, Fundraising Regulator) to ensure precise compliance.

Assessment Questions
  1. Does the organization maintain an ‘Applicable Regulators Matrix’ mapping activities to specific notification regimes (e.g., CC, ICO, RIDDOR, LADO)?
  2. Does the policy clearly define what constitutes a 'serious incident' and provide examples relevant to the organization's activities?
  3. Who has delegated authority to decide 'report/not report', and how is trustee oversight of these decisions evidenced?
  4. Can you walk through a safeguarding incident: immediate actions, LADO/police/DBS referrals, and the timing of charity regulator notification?
  5. Can the organization provide evidence (e.g., incident logs, board minutes) demonstrating that the process is followed consistently and that escalations occur in a timely manner?
  6. Is there a formal process for reviewing serious incidents to identify root causes and implement corrective actions to prevent recurrence?
  7. What is the conflict-free escalation route if the SIR Lead/CEO/Chair is implicated?
  8. What are your specific timelines for Charity Commission, ICO (72h), RIDDOR, safeguarding (immediate), and sector regulators, and how are they monitored?
  9. Do you conduct annual incident tabletop exercises and record outcomes?
  10. How are overseas incidents and local legal requirements handled?
Evidence Requirements
  • A copy of the current Serious Incident Reporting Policy and Procedure.
  • The 'Applicable Regulators Matrix' reviewed within the last 12 months.
  • Anonymized incident log or register for the last 12-24 months.
  • Regulator notification checklists/templates (RSI/OSCR/CCNI; ICO breach form; RIDDOR; LADO/police referral template).
  • Sample (redacted) submissions with regulator reference numbers for each regime used in the last 24 months.
  • Evidence of 'not report' decisions with documented rationale in the decision log.
  • Minutes of board/trustee meetings where serious incidents were discussed and actions were agreed upon.
  • Training materials and attendance records related to the Serious Incident Reporting policy.
  • Whistleblowing/speak-up policy statement, handling SOP, and quarterly anonymised metrics.
  • Records of tabletop exercises and post-exercise action plans.
Scoring Guidelines
| Level | Rating | Description |
|-------|--------|-------------|
| 5 | 5/5 | Comprehensive policy; annual tabletop + independent assurance every 2–3 years evidenced; measurable reduction in repeat incidents; actions closed on time ≥90%. |
| 4 | 4/5 | Documented policy followed correctly; board receives at least biannual assurance report including timeliness metrics and sample file review. |
| 3 | 3/5 | Policy exists but staff awareness is limited or reporting is delayed; ad-hoc learning. |
| 2 | 2/5 | No formal policy or roles. |
| 1 | 1/5 | Documented failure to report or regulator censure. |

Discussion (1)

Administrator 2026-03-07 11:07:51.096258

📋 **Version updated: 1.0.0 → 2.9.7** **Changes:** Updated islamic_references from mizan-297.json
